The present invention relates to authorized user recognition in a distributed computer system and, more particularly, to the use of computer passwords and other computer user recognition protocols.
There is an inherent danger in any computer system where intruders, using normal channels, may access sensitive or classified information for malicious purposes. Unauthorized users can cause many problems for computer systems. They may modify software to cause unwanted events to occur or to benefit themselves. They may access private or classified data, copy proprietary software, etc. While doing all this, they can seriously impact all computer-based operations when their use of computer resources causes deterioration of response times or denial of service for legitimate users. Such access can be accomplished in a number of ways, e.g., the user claims to be someone else, the user diverts the access path to another computer system, the user accesses the system before a legitimate user logs off, and the like.
Access can be gained by persons who observe a legitimate logon session within an open communication network and later masquerade as that legitimate user by using the information seen. Simple, user-selected and often personally related passwords can be "guessed" by intruders or programs written by them. Legitimate sessions may be recorded from the communication network for later playback or an intruder may "piggyback" a legitimate session by using the system before the user has logged out.
To guard against such attacks, the system must protect itself by authenticating its users. Passwords and authentication responses can also be obtained by collusion or surreptitious means. These are outside the scope of the authentication process. The present invention's effectiveness against that type of an attack is limited to the case where only an incomplete set of responses was obtained and thus tests are failed.
The use of passwords to authenticate users is the most prevalent means of controlling access currently in use. In many cases, the users select their own passwords or continue to use the group password. Studies have shown that most users select passwords that are easy to remember, generally personal in nature and seldom change them. Under these circumstances, they are easy to guess either by a motivated individual or a simple program using a random word generation technique.
Some systems may use an authentication means such as requesting the user to supply a sequence of names, etc. in conjunction with a password. This makes entry more difficult but is still vulnerable if the logon procedure is observed and the response identified or the expected response is easy to guess. Neither the authentication mechanism nor the password scheme provide the protection against piggybacking, the use of a system before a legitimate user logs off, imbedded in the present invention.
Accordingly, there is a need for a foolproof means of recognizing and authenticating an authorized user in a computer system.